Abstract. In a model-based testing approach as well as for the verification of properties, B models provide an interesting solution. However, for industrial applications, the size of their state space often makes them hard to handle. To reduce the number of states, an abstraction function can be used, often combining state variable elimination and domain abstractions of the remaining variables. This paper complements previous results, based on domain abstraction for test generation, by adding a preliminary syntactic abstraction phase, based on variable elimination. We define a syntactic transformation that suppresses some variables from a B event model, in addition to a method that chooses relevant variables according to a test purpose. We propose two methods to compute an abstraction A of an initial model M. The first one computes A as a simulation of M, and the second one computes A as a bisimulation of M. The abstraction process produces a finite state system. We apply this abstraction computation to a Model Based Testing process.

Keywords: Abstraction, Test Generation, (Bi-)Simulation, Slicing. 



1 Introduction 

B models are well suited for producing tests of an implementation by means of a model-based testing approach [1,2] and for verifying dynamic properties by model-checking [3]. But model-checking as well as test generation require the models to be finite, and of tractable size. This is not usually the case with industrial applications, for which the exploration of the modelled executions frequently comes up against combinatorial explosion problems. Abstraction techniques allow for projecting the (possibly infinite or very large) state space of a system onto a small finite set of symbolic states. Abstract models make test generation or model-checking possible in practice [4]. In [5], we have proposed and experimented with an approach of test generation from abstract models. It appeared that the computation time of the abstraction could be very expensive, as evidenced by the Demoney [6] case study. We had replaced a problem of time for searching in a state graph with a problem of time for solving proofs, as the abstraction was computed by proving enabledness and reachability conditions on symbolic states [7].

In this paper, we contribute to solving this proving time problem by defining a syntactic abstraction function that requires no proof. Inspired by slicing techniques [8], the function works by suppressing some state variables from a model. In order to produce a state system that is both finite and sufficiently small, we still have to perform a semantic abstraction. This requires that some proof obligations are solved, but there are fewer of them than with the initial model, since it has been syntactically simplified. This approach results in semantic pruning of generated proof obligations as proposed in [9].

In Sec. 2, we introduce the notion of B event system and some of the main properties of substitution computation. Section 3 presents an Electrical System case study that illustrates our approach. In Sec. 4, we first define the set of variables to be preserved by the abstraction function and then we define the abstraction function itself. We prove that this function is correct in the sense that the generated abstract model A simulates or bisimulates the initial model M. In this way, the abstraction can be used to verify safety properties and to generate tests. In Sec. 5, we present an end-to-end process to compute test cases from a set of observed variables by using both the semantic and the syntactic abstractions. In Sec. 6, we compare this process to a completely semantic one on several examples, and we evaluate the practical interest for test case generation. Section 7 concludes the paper, gives some future research directions and compares our approach to other abstraction methods.

2 B Event Systems and Refinement 

We use the B notation [10] to describe our models: this section gives the background required for reading the paper. Let us first define the following B notions: primitive forms of substitution, substitution properties and refinement. Then we will summarize the principles of before-after predicates, and the conjunctive form (CF) of B predicates.

First introduced by J.-R. Abrial [11], a B event system defines a closed specification of a system by a set of events. In the sequel, we use the following notations: x, x_i, y, z are variables and X, Y, Z are sets of variables. Pred is the set of B predicates. I (∈ Pred) is an invariant, and P, P_1 and P_2 (∈ Pred) denote other predicates. The modifications of the variables are called substitutions in B, following [12] where the semantics of an assignment is defined as a substitution. In B, substitutions are generalized: they are the semantics of every kind of action, as expressed by formulas 1 to 4 below. We use S, S_1 and S_2 to denote B generalized substitutions, and E, E_1 and F to denote B expressions. The B events are defined as generalized substitutions. All the substitutions allowed in B event systems can be rewritten by means of the five B primitive forms of substitution of Def. 1. Notice that the multiple assignment can be generalized to n variables. It is commutative, i.e. x, y := E, F = y, x := F, E.



Definition 1 (Substitution). The following five substitutions are primitive:

— single and multiple assignments, denoted as x := E and x, y := E, F

— substitution with no effect, denoted as skip

— guarded substitution, denoted as P ⇒ S

— bounded nondeterministic choice, denoted as S_1 [] S_2

— substitution with local variable z, denoted as @z.S.

Notice that the substitution with local variable is mainly used to express the unbounded nondeterministic choice denoted by @z.(P ⇒ S). Let us specify that among the usual structures of specification languages, the conditional substitution IF P THEN S_1 ELSE S_2 END is denoted by (P ⇒ S_1) [] (¬P ⇒ S_2) with the primitive forms.

Given a substitution S and a post-condition P, it is possible to compute the weakest precondition such that if it is satisfied, then P is satisfied after the execution of S. The weakest precondition is denoted by [S]P. [x := E]P is the usual substitution of all the free occurrences of x in P by E. For the four other primitive forms, the weakest precondition is computed as indicated by formulas 1 to 4 below, proved in [10].



Definition 2 defines correct B event systems. To explicitly refer to a given model, we add the name of that model as a subscript to the symbols X, I, Init and Ev. I_M is for example the invariant of a model M.

Definition 2 (Correct B Event System). A correct B event system is a tuple (X, I, Init, Ev) where:

— X is a set of state variables,

— I (∈ Pred) is an invariant predicate over X,

— Init is a substitution called initialization, such that the invariant holds in any initial state: [Init]I,

— Ev is a set of event definitions in the shape of ev_i = S_i such that every event preserves the invariant: I ⇒ [S_i]I.

In Sec. 4, we will prove that an abstraction A that we compute is refined by 
its source event system M, and so we give in Def. 3 the definition of a B event 
system refinement. 

Definition 3 (B Event System Refinement). Let A and R be two correct B event systems. Let I_R be their gluing invariant, i.e. a predicate that indicates how the values of the variables in R and A relate to each other. R refines A if:

— any initialization of R is associated to an initialization of A according to I_R:
$$[Init_R]\neg[Init_A]\neg I_R$$

— any event ev = S_R of R is an event of A defined by ev = S_A in Ev_A that satisfies I_R:
$$I_A \wedge I_R \Rightarrow [S_R]\neg[S_A]\neg I_R$$

The weakest precondition rules of the four primitive forms other than assignment, referred to as formulas 1 to 4 above, and the distributivity property (5) are:

$$[skip]P \Leftrightarrow P \quad (1)$$
$$[P_1 \Rightarrow S]P_2 \Leftrightarrow (P_1 \Rightarrow [S]P_2) \quad (2)$$
$$[S_1\ []\ S_2]P \Leftrightarrow [S_1]P \wedge [S_2]P \quad (3)$$
$$[@z.S]P \Leftrightarrow \forall z.[S]P \quad \text{if } z \text{ is not free in } P \quad (4)$$
$$\text{Distributivity: } [S](P_1 \wedge P_2) \Leftrightarrow [S]P_1 \wedge [S]P_2 \quad (5)$$

This paper also relies on two more definitions: the before-after predicate and the CF form. We denote by Prd_X(S) the before-after predicate of a substitution S. It defines the relation between the values of the variables of the set X before and after the substitution S. A primed variable denotes its after value. From [10], the before-after predicate is defined by:

$$Prd_X(S) = \neg[S]\neg\Big(\bigwedge_{x \in X} (x = x')\Big) \quad (6)$$

Definition 4 (Conjunctive Form). A B predicate P ∈ Pred is in CF when it is a conjunction p_1 ∧ p_2 ∧ … ∧ p_n where every p_i is a disjunction p_i^1 ∨ p_i^2 ∨ … ∨ p_i^m such that any p_i^j is an elementary predicate in one of the following two forms:

— E(Y) r F(Z), where E(Y) and F(Z) are B expressions on the sets of variables Y and Z and r is a relational operator,

— ∀z.P or ∃z.P, where P is a B predicate in CF.

Section 4 will define predicate transformation rules. We put the predicates in CF according to Def. 4 before their transformation. This allows the transformation to be correct although the negation is not monotonic w.r.t. a transformation T of the predicates: T(¬P) ≠ ¬T(P).



3 Electrical System Example 

We describe in this section a B event system that we will use in this paper as a running example to illustrate our proposal.

Fig. 1. Electrical System



A device D is powered by one of three batteries B_1, B_2, B_3 as shown in Fig. 1. A switch connects (or not) a battery B_i to the device D. A clock H periodically sends a signal that causes a commutation of the switches, i.e. a change of the battery in charge of powering the device D. The working of the system must satisfy the three following requirements:

— Req_1: no short-circuit, i.e. there is only one switch closed at a time,

— Req_2: continuous power supply, i.e. there is always one switch closed,

— Req_3: a signal from the clock always changes the switch that is closed.

The batteries are subject to electrical failures. If it occurs to the battery that is powering D, the system triggers an exceptional commutation to satisfy the requirement Req_2. The broken batteries are replaced by a maintenance service. We assume that it works fast enough for not having more than two batteries down at the same time. When two batteries are down, the requirement Req_3 is relaxed and the clock signal leaves unchanged the switch that is closed.

This system is modeled in Fig. 2 by means of three variables. H models the clock and takes two values: tic when it asks for a commutation and tac when this commutation has occurred. Sw models the state of the three switches by an integer between 1 and 3: Sw = i indicates that the switch i is closed while the others are opened. This modelling makes requirements Req_1 and Req_2 necessarily hold. Bat models the electrical failures by a total function. The ko value for a battery indicates that it is down. In addition to the typing of the variables, the invariant I expresses the assumption that at least one battery is not down by stating that Bat(Sw) = ok. Notice that the requirement Req_3 is a dynamic property, not formalized in I. The initial state is defined by Init in Fig. 2. The behavior of the system is described by four events:

— Tic sends a commutation command,

— Com performs a commutation (i.e. changes the closed switch),

— Fail simulates an electrical failure on one of the batteries,

— Rep simulates a maintenance intervention replacing a down battery.



X = {H, Sw, Bat}

I = H ∈ {tic, tac} ∧ Sw ∈ 1..3 ∧ Bat ∈ 1..3 → {ok, ko} ∧ Bat(Sw) = ok

Init = H, Sw, Bat := tac, 1, {1 ↦ ok, 2 ↦ ok, 3 ↦ ok}

Tic = H = tac ⇒ H := tic

Com = card(Bat ▷ {ok}) > 1 ∧ H = tic ⇒
        @ns.(ns ∈ 1..3 ∧ Bat(ns) = ok ∧ ns ≠ Sw ⇒ H, Sw := tac, ns)

Fail = card(Bat ▷ {ok}) > 1 ⇒
        @nb.(nb ∈ 1..3 ∧ nb ∈ dom(Bat ▷ {ok}) ⇒
              (nb = Sw ⇒ @ns.(ns ∈ 1..3 ∧ ns ≠ Sw ∧ Bat(ns) = ok ⇒ Sw, Bat(nb) := ns, ko))
              [] (nb ≠ Sw ⇒ Bat(nb) := ko))

Rep = @nb.(nb ∈ 1..3 ∧ nb ∈ dom(Bat ▷ {ko}) ⇒ Bat(nb) := ok)

Fig. 2. B Specification of the Electrical System



4 Syntactic Abstraction 

We define in this paper a syntactic abstraction method that applies to B models. Similar rules could be adapted for more generic formalisms such as pre-post models or transition systems.

¹ An expression r ▷ E denotes a relation whose range is restricted to the set E. For example, {1 ↦ ok, 2 ↦ ko, 3 ↦ ok} ▷ {ok} = {1 ↦ ok, 3 ↦ ok}.



Our intention is to obtain an abstract model A of a model M by observing only a subset of the state variables X_M of M. For instance, to test the electrical system in the particular cases where two batteries are down, we observe only the variable Bat. But to preserve the behaviors of M related to the variables of X_A, we also keep in A the variables used to assign the observed variables or to define the conditions under which they are assigned.

We first present two methods to compute a set of abstract variables according to a set of observed variables. Using these variables we define a predicate and substitution transformation function. Then we describe how to compute an abstraction of a B event model M. The abstraction is a bisimulation of M when the abstract variables were computed according to the second method. We also prove that if they were computed according to the first method, the abstraction is a simulation of M.

4.1 Choosing the Abstract Variables 

As proposed in [13], we distinguish between the observed variables and the abstract ones. A set X_A of abstract variables is the union of a set of observed variables with a set of relevant variables. The observed variables are the ones used by the tester in a test purpose, while the relevant variables are the ones used to describe the evolutions of the observed variables. More precisely, the relevant variables are the ones used to assign an observed variable (data-flow dependency), augmented with the variables used to express when such an assignment occurs (control-flow dependency).

A naive method to define X_A is to syntactically collect the variables that are either on the right side or in the guard of the assignment of an observed variable. But this method will in most cases select a very large amount of variables, mainly because of the guard. For instance, if x is the observed variable, then y is not relevant in (y ⇒ x, z := E, F) [] (¬y ⇒ x := E), since x is assigned E in both branches. A similar weakness goes for the unbounded non-deterministic choice @z.(P ⇒ S).

Hence our contribution consists of two methods for identifying the relevant variables. The first one only considers the data-flow dependency. It is efficient, but may select too small a set of relevant variables, resulting in an abstracted model with too many behaviors. The second one uses both data and control flow dependencies, but requires a predicate simplification to restrict the size of X_A. It produces abstract models that have the same set of behaviors as the original model, w.r.t. the abstract variables. This second method may select a set with too many relevant variables because predicate simplification is an undecidable problem.

Proposition 1: Data-Flow Dependency Only This first method considers as relevant only the variables that appear on the right side of an assignment symbol to an abstract variable. Starting from the set of observed variables, the set of all abstract variables is computed as the least fix-point when adding the relevant variables. For instance, the set of relevant variables of the electrical system is empty if the set of observed variables is {Bat}. Hence if a test purpose is only based on Bat, then X_A = {Bat}. A drawback of this method is that it can introduce in A new execution traces w.r.t. M. Indeed, it may weaken the guards of some of the events, that would thus become enabled more often.

Proposition 2: Data-Flow and Control-Flow Dependencies This second method first computes a predicate characterizing a condition under which an abstract variable is modified, then simplifies it, and finally considers all its free variables as relevant. We express by means of formula 7 the modifications really performed by a substitution S on a set X_A:

$$Mod_{X_A}(S) = Prd_{X_A}(S) \wedge \Big(\bigvee_{x \in X_A} x \neq x'\Big) \quad (7)$$

Our intention is that the predicate, that defines the condition under which an abstract variable is modified, only involves the variables really required to modify it. Hence primed variables are not quantified, but are allowed to be free. For instance, consider X_A = {x} and the substitution x := y [] (z > 0 ⇒ x := w) [] v := 3. The predicate has to be in the shape of x' = y ∨ (z > 0 ∧ x' = w), where the variables y, w and z are relevant whereas v is not.

The Mod_{X_A} predicate can also be defined by induction on the primitive substitutions, as described in appendix A.

Finally, X_A is computed as a least fix-point, by iteratively incrementing for each event the initial set of observed variables with the relevant variables. This process terminates since the set of variables is finite. For instance, Mod_{Bat} gives an empty set of relevant variables when applied to the example, as shown in Fig. 3, while Mod_{H} gives X_A = {Bat, H}.

$$Mod_{\{Bat\}}(Init) \Leftrightarrow Bat' = \{1 \mapsto ok, 2 \mapsto ok, 3 \mapsto ok\}$$
$$Mod_{\{Bat\}}(Tic) \Leftrightarrow false \quad \text{(no assignment of } Bat)$$
$$Mod_{\{Bat\}}(Com) \Leftrightarrow false \quad \text{(no assignment of } Bat)$$
$$Mod_{\{Bat\}}(Fail) \Leftrightarrow card(Bat \rhd \{ok\}) > 1 \wedge \exists nb.(nb \in 1..3 \wedge nb \in dom(Bat \rhd \{ok\}) \wedge Bat'(nb) = ko)$$
$$Mod_{\{Bat\}}(Rep) \Leftrightarrow \exists nb.(nb \in 1..3 \wedge nb \in dom(Bat \rhd \{ko\}) \wedge Bat'(nb) = ok)$$

Fig. 3. Mod_{Bat} Computation Applied to the Example
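The two fixed-point computations of Propositions 1 and 2 can be run mechanically over the primitive forms of Def. 1. The Python below is an added example and not the paper's code: it encodes substitutions and CF predicates as tuples (an assumption of this example, as are all the names in it), computes X_A by data flow only (Proposition 1) and through Mod_{X_A} unfolded by induction on the primitive forms (Proposition 2) but with no predicate simplifier, and runs both on the substitution x := y [] (z > 0 ⇒ x := w) [] v := 3 of this section and on the events Tic and Com of Fig. 2 with H observed.

```python
# Added example (not the paper's code): the two least fixed points of Sec. 4.1
# on a tuple encoding of the primitive substitutions of Def. 1.  The encoding
# and all names are assumptions of this example; expression text is not kept
# because only free variables matter here.
#   substitutions: ('assign', ((x, vars_of_E), ...)) | ('skip',)
#                  | ('guard', P, S) | ('choice', S1, S2) | ('any', z, S)
#   predicates:    ('atom', vars) | ('and', P, Q) | ('or', P, Q)
#                  | ('exists', z, P) | ('false',)
from functools import reduce

def assign(*pairs): return ('assign', tuple((x, frozenset(vs)) for x, vs in pairs))
def atom(*vs): return ('atom', frozenset(vs))
def conj(*ps): return reduce(lambda p, q: ('and', p, q), ps)

def dataflow_rhs(S):
    """Every (x, free variables of E) for an assignment x := E inside S."""
    k = S[0]
    if k == 'assign':
        return list(S[1])
    if k == 'choice':
        return dataflow_rhs(S[1]) + dataflow_rhs(S[2])
    if k in ('guard', 'any'):
        return dataflow_rhs(S[2])
    return []                                   # skip

def mod(X, S):
    """Mod_X(S) of (7) by induction on the primitive forms: our own unfolding of
    (6) and (7), not the paper's appendix A.  A guard contributes its predicate,
    a choice a disjunction and @z an existential.  For x := E only the atom
    x' = E is kept; the conjunct x /= x' of (7) names no variable outside X."""
    k = S[0]
    if k == 'assign':
        atoms = [atom(*vs) for x, vs in S[1] if x in X]
        return conj(*atoms) if atoms else ('false',)
    if k == 'guard':
        return ('and', S[1], mod(X, S[2]))
    if k == 'choice':
        return ('or', mod(X, S[1]), mod(X, S[2]))
    if k == 'any':
        return ('exists', S[1], mod(X, S[2]))
    return ('false',)                           # skip modifies nothing

def free_vars(P):
    k = P[0]
    if k == 'atom':
        return set(P[1])
    if k in ('and', 'or'):
        return free_vars(P[1]) | free_vars(P[2])
    if k == 'exists':
        return free_vars(P[2]) - {P[1]}
    return set()                                # false

def abstract_vars(state_vars, substitutions, observed, control_flow=False):
    """Least fixed point X_A.  control_flow=False is Proposition 1 (data flow
    only); control_flow=True is Proposition 2 with NO predicate simplifier,
    so it over-selects exactly as Sec. 4.1 warns."""
    X = set(observed)
    while True:
        new = set()
        for S in substitutions:
            if control_flow:
                new |= free_vars(mod(X, S))
            else:
                new |= {v for x, vs in dataflow_rhs(S) if x in X for v in vs}
        new &= set(state_vars)                  # bound variables are not state
        if new <= X:
            return X
        X |= new

# Constructed input 1: the substitution x := y [] (z > 0 => x := w) [] v := 3
S_EXAMPLE = ('choice', ('choice', assign(('x', ['y'])),
                        ('guard', atom('z'), assign(('x', ['w'])))),
             assign(('v', [])))
STATE_EXAMPLE = {'x', 'y', 'z', 'w', 'v'}

# Constructed input 2: events Tic and Com of Fig. 2, same encoding
TIC = ('guard', atom('H'), assign(('H', [])))
COM = ('guard', conj(atom('Bat'), atom('H')),
       ('any', 'ns', ('guard', conj(atom('ns'), atom('Bat', 'ns'), atom('ns', 'Sw')),
                      assign(('H', []), ('Sw', ['ns'])))))
STATE_ELECTR = {'H', 'Sw', 'Bat'}

def relevant_example(control_flow):
    return abstract_vars(STATE_EXAMPLE, [S_EXAMPLE], {'x'}, control_flow) - {'x'}

def abstract_vars_electr(control_flow):
    return abstract_vars(STATE_ELECTR, [TIC, COM], {'H'}, control_flow)

if __name__ == '__main__':
    print('Prop. 1, small example, relevant :', sorted(relevant_example(False)))
    print('Prop. 2, small example, relevant :', sorted(relevant_example(True)))
    print('Prop. 1, Tic/Com, observe H, X_A :', sorted(abstract_vars_electr(False)))
    print('Prop. 2, Tic/Com, observe H, X_A :', sorted(abstract_vars_electr(True)))
```

On the small substitution the two propositions give the relevant sets {y, w} and {y, z, w} stated above. On Tic and Com with {H} observed, Proposition 1 keeps {H}, whereas the unsimplified Proposition 2 returns {H, Bat, Sw}, one variable more than the {Bat, H} reported above: Sw is pulled in by the guard ns ≠ Sw, which the paper's simplification step discharges. This is exactly the over-selection the section attributes to the undecidability of predicate simplification.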



4.2 Predicate Transformation 

Once the set of abstract variables X_A (⊆ X_M) is defined, we have to describe how to abstract a model according to X_A. We first define the transformation function T_{X_A}(P) that abstracts a predicate P according to X_A. We define T_X on predicates in the conjunctive form (see Def. 4) by induction with the rules given in Fig. 4.

An elementary predicate is left unchanged when all the variables used in the predicate are considered in the abstraction (see the rule R1). Otherwise, when an expression depends on some variables not kept in the abstraction, an elementary predicate is undetermined (see the rule R2). As we want to weaken the predicate, we replace an undetermined elementary predicate by true. Consequently, a predicate P_1 ∧ P_2 is transformed into P_1 when P_2 is undetermined, and a predicate P_1 ∨ P_2 is transformed into true when P_1 or P_2 is undetermined (see the rules R3 and R4). Finally, the transformation of a quantified predicate is the transformation of its body w.r.t. the observed variables, augmented with the quantified variable (see the rule R5).



$$T_X(E(Y)\ r\ F(Z)) = E(Y)\ r\ F(Z) \quad \text{if } Y \subseteq X \text{ and } Z \subseteq X \quad (R1)$$
$$T_X(E(Y)\ r\ F(Z)) = true \quad \text{if } Y \not\subseteq X \text{ or } Z \not\subseteq X \quad (R2)$$
$$T_X(P_1 \vee P_2) = T_X(P_1) \vee T_X(P_2) \quad (R3)$$
$$T_X(P_1 \wedge P_2) = T_X(P_1) \wedge T_X(P_2) \quad (R4)$$
$$T_X(\forall z.P) = \forall z.T_{X \cup \{z\}}(P) \quad (R5)$$

Fig. 4. CF Predicate Transformation Rules



For example the invariant I of the electrical system is transformed, according to the single variable Bat, into T_{Bat}(I) = Bat ∈ 1..3 → {ok, ko} as in Fig. 5.

$$T_{\{Bat\}}(H \in \{tic, tac\} \wedge Sw \in 1..3 \wedge Bat \in 1..3 \to \{ok, ko\} \wedge Bat(Sw) = ok)$$
$$= T_{\{Bat\}}(H \in \{tic, tac\}) \wedge T_{\{Bat\}}(Sw \in 1..3) \wedge T_{\{Bat\}}(Bat \in 1..3 \to \{ok, ko\}) \wedge T_{\{Bat\}}(Bat(Sw) = ok) \quad \text{applying } R4$$
$$= Bat \in 1..3 \to \{ok, ko\} \quad \text{applying } R1 \text{ and } R2$$

Fig. 5. Example of Predicate Transformation



Property 1. Let P be a CF predicate in Pred and let X be a set of variables. P ⇒ T_X(P) is valid.

Proof. As we said before, T_X(P) is weaker than P. Indeed, for any conjunctive predicate P in CF there exist p_1 and p_2 such that P = p_1 ∧ p_2 and such that it is transformed either into p_1 ∧ p_2, or into p_1, or into p_2, or into true, by application of the transformation rules R1 to R4. For any disjunctive predicate P there exist p_1 and p_2 such that P = p_1 ∨ p_2 and p_1 ∨ p_2 is transformed either into p_1 ∨ p_2 or into true.

4.3 Substitution Transformation 

The abstraction of substitutions is defined through cases in Fig. 6 on the primitive forms of substitutions. Intuitively, any assignment x := E is preserved into the transformed model if and only if x is an abstract variable. According to both of the two methods described in Sec. 4.1, if x is an abstract variable, then so are all the variables in E. Therefore, in rules R6 to R11, we do not transform the expressions E and F.

A substitution is abstracted by skip when it does not modify any variable from X (see rules R6, R8, R9 and R10, in which y := F is abstracted by skip). The assignment of a variable x is left unchanged if x is an abstract variable (see rules R7, R10, R11). The transformation of a guarded substitution S is such that T_X(S) is enabled at least as often as S, since T_X(P) is weaker than P from Prop. 1 (see rule R12). The bounded non deterministic choice S_1 [] S_2 becomes a bounded non deterministic choice between the abstractions of S_1 and S_2 (see rule R13). The quantified substitution is transformed by inserting the bound variable into the set of abstract variables (see rule R14).



$$T_X(x := E) = skip \quad \text{if } x \notin X \quad (R6)$$
$$T_X(x := E) = x := E \quad \text{if } x \in X \quad (R7)$$
$$T_X(skip) = skip \quad (R8)$$
$$T_X(x, y := E, F) = skip \quad \text{if } x \notin X \text{ and } y \notin X \quad (R9)$$
$$T_X(x, y := E, F) = x := E \quad \text{if } x \in X \text{ and } y \notin X \quad (R10)$$
$$T_X(x, y := E, F) = x, y := E, F \quad \text{if } x \in X \text{ and } y \in X \quad (R11)$$
$$T_X(P \Rightarrow S) = T_X(P) \Rightarrow T_X(S) \quad (R12)$$
$$T_X(S_1\ []\ S_2) = T_X(S_1)\ []\ T_X(S_2) \quad (R13)$$
$$T_X(@z.S) = @z.T_{X \cup \{z\}}(S) \quad (R14)$$

Fig. 6. Primitive Substitution Transformation Rules



4.4 B Event System Transformation 

According to the predicate and substitution transformation functions (see Fig. 4 and Fig. 6), we define the transformation of a B event model according to a set of abstract variables (Sec. 4.1) in Def. 5. This transformation translates a correct model M into a model A that simulates M (Sec. 4.5). The electrical system is transformed as shown in Fig. 7 for the set of abstract variables {Bat}.

Definition 5 (B Event System Transformation). Let X_A be a set of abstract variables, defined as in Sec. 4.1 from a set of observed variables X with X ⊆ X_M. A correct B event system M = (X_M, I_M, Init_M, Ev_M) is abstracted as the B event system A = (X_A, I_A, Init_A, Ev_A) as follows:

— X_A ⊆ X_M, the set of abstract variables is a subset of the state variables,

— I_A = T_{X_A}(I_M), the invariant is transformed,

— Init_A = T_{X_A}(Init_M), the initialization is transformed,

— to each event ev = S_M in Ev_M is associated ev = T_{X_A}(S_M) in Ev_A.
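As an added example that is not part of the paper, the rules of Figs. 4 and 6 and Def. 5 are implemented below in Python and applied to a transcription of Fig. 2 with X_A = {Bat}. The tuple encoding, the ASCII spelling of the B operators and every helper name are assumptions of the example; Bat(nb) := ko is written as the overriding Bat := Bat <+ {nb |-> ko} so that the assigned state variable is Bat.

```python
# Added example (not the paper's code): rules R1-R5 (Fig. 4), R6-R14 (Fig. 6)
# and Def. 5 run on a transcription of Fig. 2 with X_A = {Bat}.  The tuple
# encoding, the ASCII spelling of B operators (|> range restriction, <+
# overriding, ==> guard, # existential) and all helper names are assumptions.
#   predicates:    ('atom', vars, text) | ('and', P, Q) | ('or', P, Q)
#                  | ('forall', z, P) | ('exists', z, P) | ('true',)
#   substitutions: ('assign', ((x, text_of_E), ...)) | ('skip',)
#                  | ('guard', P, S) | ('choice', S1, S2) | ('any', z, S)
from functools import reduce

def atom(text, *vs): return ('atom', frozenset(vs), text)
def conj(*ps): return reduce(lambda p, q: ('and', p, q), ps)

def simp(P):
    """Absorb true as the text after R4 says: P1 & true -> P1, P1 or true -> true."""
    k = P[0]
    if k in ('and', 'or'):
        a, b = simp(P[1]), simp(P[2])
        if k == 'and':
            return b if a == ('true',) else a if b == ('true',) else (k, a, b)
        return ('true',) if ('true',) in (a, b) else (k, a, b)
    if k in ('forall', 'exists'):
        body = simp(P[2])
        return body if body == ('true',) else (k, P[1], body)
    return P

def T_pred(X, P):
    k = P[0]
    if k == 'atom':
        return P if P[1] <= X else ('true',)               # R1 / R2
    if k in ('and', 'or'):
        return (k, T_pred(X, P[1]), T_pred(X, P[2]))       # R3 / R4
    if k in ('forall', 'exists'):
        return (k, P[1], T_pred(X | {P[1]}, P[2]))         # R5
    return P

def T_sub(X, S):
    k = S[0]
    if k == 'assign':
        kept = tuple(a for a in S[1] if a[0] in X)         # R6, R7, R9-R11
        return ('assign', kept) if kept else ('skip',)
    if k == 'guard':                                       # R12
        G, body = simp(T_pred(X, S[1])), T_sub(X, S[2])
        return body if G == ('true',) else ('guard', G, body)   # true ==> S is S by (2)
    if k == 'choice':
        return ('choice', T_sub(X, S[1]), T_sub(X, S[2]))  # R13
    if k == 'any':
        return ('any', S[1], T_sub(X | {S[1]}, S[2]))      # R14
    return S                                               # R8: skip

def abstract_system(model, XA):                            # Def. 5
    XA = set(XA)
    return {'vars': XA, 'inv': simp(T_pred(XA, model['inv'])),
            'init': T_sub(XA, model['init']),
            'events': {e: T_sub(XA, S) for e, S in model['events'].items()}}

def render(t):
    """ASCII rendering of a predicate or a substitution."""
    k = t[0]
    if k == 'atom':   return t[2]
    if k == 'true':   return 'true'
    if k == 'and':    return f'{render(t[1])} & {render(t[2])}'
    if k == 'or':     return f'({render(t[1])} or {render(t[2])})'
    if k == 'exists': return f'#{t[1]}.({render(t[2])})'
    if k == 'skip':   return 'skip'
    if k == 'assign': return ', '.join(x for x, _ in t[1]) + ' := ' + ', '.join(e for _, e in t[1])
    if k == 'guard':  return f'{render(t[1])} ==> {render(t[2])}'
    if k == 'choice': return f'({render(t[1])}) [] ({render(t[2])})'
    return f'@{t[1]}.({render(t[2])})'                     # any

# Transcription of Fig. 2.  Bat(nb) := ko is written as the overriding
# Bat := Bat <+ {nb |-> ko}, so the assigned state variable is Bat.
CARD = atom('card(Bat |> {ok}) > 1', 'Bat')
def ok(v): return atom(f'Bat({v}) = ok', 'Bat', v)
def in13(v): return atom(f'{v} : 1..3', v)
def set_bat(i, val): return ('Bat', f'Bat <+ {{{i} |-> {val}}}')   # one assignment pair

ELECTR = {
  'inv': conj(atom('H : {tic, tac}', 'H'), atom('Sw : 1..3', 'Sw'),
              atom('Bat : 1..3 --> {ok, ko}', 'Bat'), atom('Bat(Sw) = ok', 'Bat', 'Sw')),
  'init': ('assign', (('H', 'tac'), ('Sw', '1'), ('Bat', '{1 |-> ok, 2 |-> ok, 3 |-> ok}'))),
  'events': {
    'Tic': ('guard', atom('H = tac', 'H'), ('assign', (('H', 'tic'),))),
    'Com': ('guard', conj(CARD, atom('H = tic', 'H')),
            ('any', 'ns', ('guard', conj(in13('ns'), ok('ns'), atom('ns /= Sw', 'ns', 'Sw')),
                           ('assign', (('H', 'tac'), ('Sw', 'ns')))))),
    'Fail': ('guard', CARD, ('any', 'nb', ('guard',
              conj(in13('nb'), atom('nb : dom(Bat |> {ok})', 'Bat', 'nb')),
              ('choice',
               ('guard', atom('nb = Sw', 'nb', 'Sw'),
                ('any', 'ns', ('guard', conj(in13('ns'), atom('ns /= Sw', 'ns', 'Sw'), ok('ns')),
                               ('assign', (('Sw', 'ns'), set_bat('nb', 'ko')))))),
               ('guard', atom('nb /= Sw', 'nb', 'Sw'), ('assign', (set_bat('nb', 'ko'),))))))),
    'Rep': ('any', 'nb', ('guard', conj(in13('nb'), atom('nb : dom(Bat |> {ko})', 'Bat', 'nb')),
                          ('assign', (set_bat('nb', 'ok'),)))),
  }}

if __name__ == '__main__':
    A = abstract_system(ELECTR, {'Bat'})
    print('I    =', render(A['inv']))
    print('Init =', render(A['init']))
    for name, S in A['events'].items():
        print(f'{name:4} =', render(S))
```

Running it reproduces the invariant, Init, Tic, Com and Rep of Fig. 7 literally. For Fail the rules alone yield, under the guard nb ∈ 1..3 ∧ nb ∈ dom(Bat ▷ {ok}), the choice between @ns.(ns ∈ 1..3 ∧ Bat(ns) = ok ⇒ Bat(nb) := ko) and Bat(nb) := ko, because R2 turns both branch guards nb = Sw and nb ≠ Sw into true; Fig. 7 additionally collapses these two branches, which assign the same value, into the single Bat(nb) := ko. The one step taken beyond the rules is to fold true ⇒ S into S, which is sound by formula (2).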

4.5 Correctness 

When the set of abstract variables X_A preserves both the data and control flows as defined in Sec. 4.1 (Proposition 2), the transition relation, restricted to X_A, is preserved, as proved (see appendix C) by Theorem 1. A and M have an equivalent before-after relation Prd_{X_A}, therefore they are bisimilar. Hence when a CTL* property is verified on A it holds on M, and test cases generated from A can always be instantiated on M.

Theorem 1. Let S be a substitution. Let X be a set of abstract variables composed of any free variable of Mod_X(S). Then Prd_X(S) ⇔ Prd_X(T_X(S)).

With the method defined in Sec. 4.1 by Proposition 1, A is a simulation of M. The B refinement relation (see Def. 3) is proven in [14] to be a simulation: A simulates M by a τ-simulation, where τ is a silent action corresponding in our case to an event reduced to skip or to P ⇒ skip. Theorems 2 and 3 establish that M refines A, and thus that A simulates M. The safety properties are preserved, but some tests generated from A might be impossible to instantiate on M.

Theorem 2. Let I be a CF invariant of a correct B event system, let S be a substitution and let X be a set of abstract variables. The transformation rules R6 to R14 are such that S refines T_X(S) according to the invariant I.

Theorem 3. Let X be a set of abstract variables defined as in Proposition 1. Let T_X be the transformation defined in Fig. 6, and let A be an abstraction of an event system M defined according to Def. 5. A is refined by M in the sense of Def. 3.

Theorem 2 establishes that any substitution S refines its transformation T_X(S) for a given set of abstract variables X. The proof is given in Appendix B. Theorem 3 establishes that a B event system M refines the B abstract system obtained according to Def. 5 by applying to M the transformation rules of Fig. 4 and Fig. 6.

Proof (of Theorem 3). This is a direct consequence of Theorem 2 and Def. 5, since the substitution Init_A = T_X(Init_M) is refined by Init_M, and for any event ev = S_M, the substitution S_A = T_X(S_M) is refined by S_M.



X = {Bat}

I = Bat ∈ 1..3 → {ok, ko}

Init = Bat := {1 ↦ ok, 2 ↦ ok, 3 ↦ ok}

Tic = skip

Com = card(Bat ▷ {ok}) > 1 ⇒ @ns.(ns ∈ 1..3 ∧ Bat(ns) = ok ⇒ skip)

Fail = card(Bat ▷ {ok}) > 1 ⇒
        @nb.(nb ∈ 1..3 ∧ nb ∈ dom(Bat ▷ {ok}) ⇒ Bat(nb) := ko)

Rep = @nb.(nb ∈ 1..3 ∧ nb ∈ dom(Bat ▷ {ko}) ⇒ Bat(nb) := ok)

Fig. 7. B Syntactically Abstracted Specification of the Electrical System



5 Application of the Method to a Testing Process 

We show in this section how to use the syntactic abstraction in a model-based 
testing approach. 



5.1 Test Generation from an Abstraction 

We have described in [5] a model-based testing process using an abstraction as 
input. It can be summarized as follows. A validation engineer describes by means 
of a handwritten test purpose TP how he intends to test the system, according to 
his know-how. We have proposed in [15] a language based on regular expressions, 
to describe a TP as a sequence of actions to fire and states to reach (targeted 
by these actions). The actions can be explicitly called in the shape of event 
names, or left unspecified by the use of a generic name. The unspecified calls 
then have to be replaced with explicit event names. However, a combinatorial 
explosion problem occurs, when searching in a concrete model for the possible 
replacements that lead to the target states. This leads us to use abstractions 
instead of concrete models. Figure 8 shows our approach. 



We perform a synchronized product between an abstraction A and the au- 
tomaton of a TP. This results in a model SP whose executions are the executions 
of A that match the TP. An implementation [16] of the Chinese Postman algo- 
rithm is applied to SP to cover its transitions. The result is a set of abstract 
symbolic tests AST. These tests are instantiated from M as a set IT of instanti- 
ated tests. 

5.2 Abstraction Computation 

We show in this section two ways of producing an abstraction A that can be 
used as an input of the process of Fig. 8. The syntactic abstraction of Sec. 4 is 
used in one of these two ways. 

In order to compute the synchronized product of an abstraction A with the 
automaton of a TP, we compute the semantics of A as a labelled transition 
system. We use GeneSyst [7] for that purpose. This tool computes a semantic 
abstraction of a B model in the shape of a symbolic labelled transition system. 
The semantic abstraction relies on feasibility proofs of the transitions between 
two symbolic states. GeneSyst generates proof obligations (POs) for each of 
the potential transitions between two symbolic states, and tries to solve them 
automatically. 

The two main drawbacks of this process are its time cost and the proportion of POs not automatically solved. Indeed, each unsolved PO results in a transition that is kept in the symbolic labelled transition system, although it is possibly unfeasible. An abstract symbolic test going through such a transition may be impossible to instantiate from the concrete model M. By applying a preliminary phase of syntactic abstraction, we reduce the impact of that problem by reducing the number and the size of the POs, since GeneSyst operates on an already abstracted model. For example, no proof obligation is generated for an event reduced to skip (it becomes a reflexive transition on any symbolic state).

Fig. 8. Generating Tests from Test Purpose by Abstraction




Fig. 9. Abstraction Process 



The experimental results presented in Sec. 6 compare two approaches. The 
first one (see Fig. 9/Process 1) is only semantic, while the second one (see 
Fig. 9/Process 2) combines a syntactic and a semantic abstraction. 



6 Experimental Results 

We have applied our method to four case studies. They are various cases of reactive systems: an automatic conveying system (Robot [17]), a reverse phone book service (Qui-Donc [2]), the electrical system² (Electr.) and an electronic purse (DeMoney [6]). Each one is abstracted w.r.t. two sets of abstract variables. These sets have been computed according to Proposition 1 of Sec. 4.1. We also have tried to compute the abstract variables according to Proposition 2, but all the variables have been computed as abstract in three case studies. Only for the electrical system was the set of abstract variables the same as with Proposition 1. These case studies reveal a limit in the application of Proposition 2.

In Sec. 6.1 we present an experimental evaluation of the syntactic abstraction. Then, in Sec. 6.2 we compare A_M with A_A, respectively computed by the semantic abstraction process alone or by its combination with the syntactic one.



6.1 Impact of the Syntactic Abstraction on Models 

Table 1 indicates the size of the case studies and the syntactically abstracted models. The symbols "#", "Ev.", "Var." and "Pot." respectively stand for number of, Events, Variables and Potential. For example the Robot, defined by 9 events and 6 variables, is abstracted w.r.t. two sets of respectively 3 and 4 abstract variables.

² The 100-line length of the model in Table 1 refers to a "verbose" version of the model, much more readable than our version of Fig. 2.

Table 1. Size of the Case Studies and of their Syntactical Abstractions



A direct observable result of the syntactic abstraction is a reduction of the 
number of potential states of the model. Also notice that the simplification 
reduces from 10% up to 50% the number of lines of the model. 

6.2 Comparison of the Abstraction Processes 1 and 2 
Table 2. Comparison of the semantic and syntactic/semantic abstraction processes



Table 2 compares the abstractions computed either directly from the behav- 
ioral models (see process 1 in Fig. 9), or from their syntactic abstractions (see 
process 2 in Fig. 9). The abbreviations "Trans.", "Unau.", "Inst." and "Cover." 
stand respectively for transitions, unauthorized, instantiated and coverage. 

We see on our examples that there are between 1.8 and 2.3 times fewer POs to 
compute with process 2 than with process 1, except for the Qui-Donc. The semantic 
abstraction computation in process 2 takes from twice up to five times less time 
than in process 1, where no preliminary syntactic abstraction has been performed. 
For the Qui-Donc, the syntactic abstraction has over-approximated the initial 
model too much, which explains the increase of the number of POs w.r.t. process 1. 
Finally, there are four cases out of eight where the abstraction $\mathcal{A}_A$ is more 
precise than $\mathcal{A}_M$ in the sense that it has fewer transitions, due to the reduction 
of the number of unproved POs. In these four cases, the set of traces of $\mathcal{A}_A$ 
is included in the set of traces of $\mathcal{A}_M$. In the case of the electrical system, the 
sets of traces are equal. In the Qui-Donc case, the traces cannot be compared. 
The simplification of the events and of the invariant by the syntactic abstraction 
means that $\mathcal{A}_A$ may contain more transitions (thus more traces) than $\mathcal{A}_M$. But 
the number and the difficulty of the POs are greater to get $\mathcal{A}_M$ than to get $\mathcal{A}_A$, 
so that proof failures may occur more often with $\mathcal{A}_M$. As a result, $\mathcal{A}_M$ can also 
contain transitions that are not in $\mathcal{A}_A$. 

As for the ratios of tests instantiated and of transitions covered of the abstrac- 
tion, we observe their stability with or without syntactic abstraction. Although 
the ratios are a bit better (or equal) for the Robot and the Electrical System, 
and a bit worse for Qui-Donc and Demoney, they are mainly very close to each 
other. But, due to the reduction of the number of POs, the time to obtain these 
comparable results is improved with process 2, i.e. when there is a preliminary 
syntactic abstraction phase. Again, this is not true for the Qui-Donc since on 
the contrary, its number of POs has increased. 

Finally, the method brought no benefit for the Qui-Donc, which was the small- 
est example. But, as shown by DeMoney, its efficiency in terms of gain in the 
abstraction computation time, of reduction of the number of unproved POs and 
of precision of the abstraction, grows with the size of the examples. 

7 Conclusion, Related Works and Further works 

We have presented in the B framework a method for abstracting an event system 
by elimination of some state variables. In this context, we have proposed two 
methods to compute the set of variables kept in the abstraction according to 
the set of observed variables. We have proved that when using the first method, 
the generated abstraction simulates the concrete model, while when using the 
second method, the generated abstraction bi-simulates the concrete model. This 
is useful for verifying safety properties and generating tests. 

In the context of test generation, our method consists in starting the test 
generation process from event B models described in [5] with a syntactic 
abstraction. Since the syntactic abstraction reduces the size of the model, the 
main advantage of this method is that it reduces the set of uninstantiable tests, 
by reducing the level of abstraction (it reduces the number of POs generated and 
facilitates the proof of the remaining POs). Moreover, this results in a gain of 
computation time. We believe that the bigger the ratio of the number of state 
variables to the number of observed variables is, the bigger the gain is. This 
conjecture needs to be confirmed by experiments on industrial size applications. 

Many other works define model abstraction methods to verify properties 
or to generate tests. The method of [18] uses an extension of the model-checker 
Murφ to compute tests from projected state coverage criteria that eliminate some 
state variables and project others on abstract domains. In [19], an abstraction is 
computed by partition analysis of a state-based specification, based on the pre- 
and post-conditions of the operations. Constraint solving techniques are used. 
The methods of [20-22] use theorem proving to compute the abstract model, 
which is defined over boolean variables that correspond to a set of a priori fixed 
predicates. In contrast, our method first introduces a syntactic abstraction 
computation from a set of observed variables, and further abstracts it by theorem 
proving. [23] also performs a syntactic transformation, but requires the use of a 
constraint solver during a model checking process. 



Other automatic abstraction methods [24] are limited to finite state systems. 
The deductive model checking algorithm of [25] produces an abstraction w.r.t. 
an LTL property by an iterative refinement process that requires human exper- 
tise. Our method can handle infinite state space specifications. The paper [26] 
presents a syntactic abstraction method for guarded command programs based 
on assignment substitution. The method is sound and complete for programs 
without unbounded non-determinism. However, the method is iterative and does 
not terminate in the general case. It requires the user to give an upper bound on 
the number of iterations. The paper also presents an extension for unbounded 
non-deterministic programs that is sound but not complete, due to an expo- 
nential number of predicates generated at each iteration step. In contrast, our 
syntactic method is iterative on the syntactic structure of the specifications. It 
is sound but not complete. It handles unbounded non-deterministic specifica- 
tions with no need for another iterative process and always terminates. Above all, 
our method does not compute any weakest precondition whereas the approach 
in [26] does, which possibly introduces infinitely many new predicates. 



The syntactic method that we have presented is correct, but, in the case of 
Proposition 1, may sometimes produce inaccurate over-approximations due to 
a too strong abstraction (see for example the experiments on the Qui-Donc). 
Proposition 2 produces a bisimulation, but may leave the initial model un- 
changed, i.e. not abstracted, if all the variables are computed as abstract. We 
have to find a compromise between the two propositions, that would reduce the 
number of abstract variables, but that would keep at least partially the control 
structure of the operations. Also, we think that the rules could be improved to get 
a finer approximation. For instance, improving the rules is possible when the 
invariant contains an equivalence such as $x = c \Leftrightarrow y = c'$. If $y$ is an eliminated 
variable and $x$ an observed one, we could substitute all the occurrences of the 
elementary predicate $y = c'$ with $x = c$. This would preserve the property in 
the syntactic abstraction $\mathcal{A}_A$, so that the following semantic abstraction would 
be more accurate. Such rules should prevent the addition of transitions in the 
Qui-Donc abstraction $\mathcal{A}_A$ w.r.t. $\mathcal{A}_M$. 

We think that extending the test generation method introduced in [5] by 
using a combination of syntactic and semantic abstractions will improve the 
method, since the abstraction is more accurate if there are less unproved POs. 
A Inductive Definition of $Mod_X$ 



The $Mod_X$ predicate can be defined by induction through primitive substitu- 
tions, as described in Table 3. Intuitively, an assignment $x := E$ is associated to 
false if and only if $x$ is not in $X$ or $x$ already has the same value as $E$. The other 
assignment cases are generalizations of this one. This implements the data-flow 
dependency. For control-flow dependency, a non-deterministic choice is a union 
of control-flow branches, thus a disjunction of predicates, and a 
guarded substitution $P \Rightarrow S$ is associated to the whole condition $P$ augmented 
with the result of the analysis of $S$. Once this predicate is expressed, it needs to 
be logically simplified. 



Substitution / Modification Predicate / Condition 

$Mod_X(x := E) = false$, when $x \notin X$ 

$Mod_X(x := E) = x' = E \wedge \bigwedge_{z \in X - \{x\}} (z' = z) \wedge x \neq x'$, when $x \in X$ 

$Mod_X(x, y := E, F) = false$, when $x \notin X \wedge y \notin X$ 

$Mod_X(x, y := E, F) = x' = E \wedge \bigwedge_{z \in X - \{x\}} (z' = z) \wedge x \neq x'$, when $x \in X \wedge y \notin X$ 

$Mod_X(x, y := E, F) = x' = E \wedge y' = F \wedge \bigwedge_{z \in X - \{x, y\}} (z' = z) \wedge \bigvee_{z \in \{x, y\}} (z \neq z')$, when $x \in X \wedge y \in X$ 

$Mod_X(skip) = false$ 

$Mod_X(P \Rightarrow S) = P \wedge Mod_X(S)$ 

$Mod_X(S_1 \, [] \, S_2) = Mod_X(S_1) \vee Mod_X(S_2)$ 

$Mod_X(@z \cdot S) = \exists z \cdot Mod_{X \cup \{z\}}(S)$ 

Table 3. $Mod_X(S)$ Predicate Defined through Primitive Substitutions 
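As an added worked example, not code from the paper, the rules of Table 3 applied mechanically over a small substitution AST in Python. The classes Assign, Skip, Guard, Choice, Any, the function mod and the sample EVENT are constructed for this illustration, and the ASCII operators &, or, /= and #z. stand for ∧, ∨, ≠ and ∃z·; the only simplification performed is dropping "false" branches, the rest of the logical simplification the text asks for is left to a prover.

```python
from dataclasses import dataclass
from typing import Tuple, Union

# Primitive substitutions of Table 3 as a constructed mini-AST.
@dataclass(frozen=True)
class Assign:                 # x := E   or   x, y := E, F
    targets: Tuple[str, ...]
    exprs: Tuple[str, ...]
@dataclass(frozen=True)
class Skip: pass              # skip
@dataclass(frozen=True)
class Guard:                  # P ==> S
    pred: str
    body: "Subst"
@dataclass(frozen=True)
class Choice:                 # S1 [] S2
    left: "Subst"
    right: "Subst"
@dataclass(frozen=True)
class Any:                    # @z . S
    var: str
    body: "Subst"
Subst = Union[Assign, Skip, Guard, Choice, Any]

def mod(s: Subst, X) -> str:
    """Mod_X(S) as a predicate string, one branch per row of Table 3.
    x' is the after-value of x; 'false' operands are dropped."""
    X = frozenset(X)
    if isinstance(s, Skip):
        return "false"
    if isinstance(s, Assign):
        kept = [(t, e) for t, e in zip(s.targets, s.exprs) if t in X]
        if not kept:                      # no abstract variable is assigned
            return "false"
        conj = [f"{t}' = {e}" for t, e in kept]                  # x' = E
        conj += [f"{z}' = {z}" for z in sorted(X - {t for t, _ in kept})]
        changed = " or ".join(f"{t} /= {t}'" for t, _ in kept)   # x /= x'
        return " & ".join(conj) + f" & ({changed})"
    if isinstance(s, Guard):              # P & Mod_X(S)
        m = mod(s.body, X)
        return "false" if m == "false" else f"({s.pred}) & ({m})"
    if isinstance(s, Choice):             # Mod_X(S1) or Mod_X(S2)
        l, r = mod(s.left, X), mod(s.right, X)
        return r if l == "false" else l if r == "false" else f"({l}) or ({r})"
    m = mod(s.body, X | {s.var})          # Any: #z . Mod_{X u {z}}(S)
    return "false" if m == "false" else f"#{s.var}.({m})"

# Constructed event: when idle, either just become busy, or count and become busy.
EVENT = Guard("st = idle", Choice(Assign(("st",), ("busy",)),
                                  Assign(("cnt", "st"), ("cnt + 1", "busy"))))
```

Running mod(EVENT, {"cnt"}) shows that the first branch of the choice vanishes (it does not modify cnt), while mod(EVENT, {"st", "cnt"}) keeps both branches with the frame condition cnt' = cnt on the first one.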



Property 2. $Mod_X(S)$ as defined in Table 3 satisfies the definition in formula (7). 

Proof (of Property 2). For any case of $S$, we prove that $Mod_X(S)$ defined as 
in formula (7), replacing $Prd_X(S)$ by its definition given in formula (6) and 
transformed by formulas (1) to (4), is equal to its value in Table 3. 



B Proof of Theorem 2 

Proof. The refinement theory as defined in B [10] requires that variable sets 
from the abstraction and variable sets from the refinement are disjoint. If a variable 
$x$ is preserved through the refinement process, then it has to be renamed, i.e. 
$x_{renamed}$, and associated by a gluing invariant, i.e. $x = x_{renamed}$. In order to 
prove the correctness of the refinement, we introduce the $Ren()$ function, which 
renames every variable of a substitution or a predicate. Hence, the invariant $I_A$ 
abstracted from $I_M$ and the substitution $S_A$ abstracted from any $S_M$ are defined 
as follows: 

$I_A = Ren(T_X(I_M))$ \qquad $S_A = Ren(T_X(S_M))$ 

To prove that $S_M$ is a correct refinement of $S_A$, we need to prove (Def. 3): 

$PC_A \wedge PC_M \wedge I_A \wedge I_M \wedge I_G \Rightarrow [S_M]\neg[S_A]\neg(I_M \wedge I_G)$ \qquad $(R15)$ 

where $I_G$ is the gluing invariant $I_G = \bigwedge_{x \in X} (x = Ren(x))$. In order to prove 
formula $(R15)$, it is sufficient to establish that the following two formulas hold: 

$PC_A \wedge PC_M \wedge I_A \wedge I_M \wedge I_G \Rightarrow [S_M]\neg[S_A]\neg I_M$ \qquad $(R16)$ 

$PC_A \wedge PC_M \wedge I_A \wedge I_M \wedge I_G \Rightarrow [S_M]\neg[S_A]\neg I_G$ \qquad $(R17)$ 

Since the free variable sets of $S_A$ and $I_M$ are strictly disjoint, $(R16)$ can be rewritten 
as $PC_A \wedge PC_M \wedge I_A \wedge I_M \wedge I_G \Rightarrow [S_M]I_M$, which holds since the initial model $M$ is 
correct. Hence, we only have to establish $(R17)$ to prove Theorem 2. The proof 
is by induction on the five primitive forms of substitutions. We make a case 
analysis for each rule in Fig. 6. We use Prop. 1 of Sec. 4.2 and axioms (1) to (5) 
defined in Sec. 2. 

We denote by $Hyps$ the repeated predicate $Hyps = PC_A \wedge PC_M \wedge I_A \wedge I_M \wedge I_G$. 

Case $S_M = x := E$ 

Rule R6: $S_A = skip$ when $x \notin X$ 

Is $Hyps \Rightarrow [x := E]\neg[skip]\neg I_G$ valid? 
It is valid, according to (1), since $x$ is not free in $I_G$. 

Rule R7: $S_A = Ren(x) := Ren(E)$ when $x \in X$ 

Is $Hyps \Rightarrow [x := E]\neg[Ren(x) := Ren(E)]\neg I_G$ valid? 
It is valid since Rule R7 is the identity. 

Case $S_M = skip$ 

Rule R8: $S_A = skip$ 

$Hyps \Rightarrow [skip]\neg[skip]\neg I_G$ is obviously valid according to (1). 

Case $S_M = x, y := E, F$ 

The proofs for Rules R9 to R11 are similar to the first case. 

Case $S_M = P \Rightarrow S$ 

Rule R12: $S_A = Ren(T_X(P)) \Rightarrow Ren(T_X(S))$ 

Is $Hyps \Rightarrow [P \Rightarrow S]\neg[Ren(T_X(P)) \Rightarrow Ren(T_X(S))]\neg I_G$ valid? 
$\equiv Hyps \Rightarrow P \Rightarrow [S](Ren(T_X(P)) \wedge \neg[Ren(T_X(S))]\neg I_G)$ \quad applying (2) 
$\equiv (R12.1)\; (Hyps \wedge P \Rightarrow [S]Ren(T_X(P)))$ 
$\;\wedge\; (R12.2)\; (Hyps \wedge P \Rightarrow [S]\neg[Ren(T_X(S))]\neg I_G)$ \quad distributing $[S]$ over $\wedge$ 

According to Prop. 1, $(R12.1)$ holds since the variables of $S$ are not free in $Ren(T_X(P))$ 
and since $I_G$ is in $Hyps$. $(R12.2)$ is valid w.r.t. the induction hypothesis: 
$Hyps \Rightarrow [S]\neg[Ren(T_X(S))]\neg I_G$. 

Case $S_M = S \, [] \, S'$ 

Rule R13: $S_A = Ren(T_X(S)) \, [] \, Ren(T_X(S'))$ 

Is $Hyps \Rightarrow [S \, [] \, S']\neg[Ren(T_X(S)) \, [] \, Ren(T_X(S'))]\neg I_G$ valid? 
$\equiv Hyps \Rightarrow [S \, [] \, S'](\neg[Ren(T_X(S))]\neg I_G \vee \neg[Ren(T_X(S'))]\neg I_G)$ \quad applying (3) 
$\equiv (Hyps \Rightarrow [S](\neg[Ren(T_X(S))]\neg I_G \vee \neg[Ren(T_X(S'))]\neg I_G))$ 
$\;\wedge\; (Hyps \Rightarrow [S'](\neg[Ren(T_X(S))]\neg I_G \vee \neg[Ren(T_X(S'))]\neg I_G))$ \quad applying (3) 

This formula is valid because the two induction hypotheses are valid: 

1. $Hyps \Rightarrow [S]\neg[Ren(T_X(S))]\neg I_G$, 

2. $Hyps \Rightarrow [S']\neg[Ren(T_X(S'))]\neg I_G$. 

Case $S_M = @z.S$ 

Rule R14: $S_A = Ren(@z.T_{X \cup \{z\}}(S))$ 

Is $Hyps \Rightarrow [@z.S]\neg[Ren(@z.T_{X \cup \{z\}}(S))]\neg I_G$ valid? 

$\equiv Hyps \Rightarrow \forall z.[S]\neg\forall Ren(z).[Ren(T_{X \cup \{z\}}(S))]\neg I_G$ \quad applying (4) 

It is valid since the following formula is implied by the induction hypothesis: 
$Hyps \Rightarrow \forall z. \exists Ren(z).(z = Ren(z) \wedge [S]\neg[Ren(T_{X \cup \{z\}}(S))]\neg(I_G \wedge z = Ren(z)))$ 

Hence, Theorem 2 holds. 



C $Prd_X(M) = Prd_X(T_X(M))$ ? 

Let $S$ be a substitution. Let $X$ be a set of abstract variables composed of any 
free variable of $Mod_X(S)$ (see Proposition 2 in Sec. 4.1). We propose to prove 
that the following formula holds: $Prd_X(S) \Leftrightarrow Prd_X(T_X(S))$. 

Since $Prd_X(S) = \neg[S]\neg \bigwedge_{x \in X} x = x'$ (see formula (6) in Sec. 2), we verify 
it by induction through primitive substitutions, proving that $[S]P \Leftrightarrow [T_X(S)]P$ 
holds when $P$ is defined only in terms of abstract variables in $X$. 

Let $[T_X(S)]P \Leftrightarrow [S]P$ be the induction hypothesis: 

$[T_X(S)]P \Leftrightarrow [S]P$ / Condition or justification 

$[skip]P \Leftrightarrow [x := E]P$, if $x \notin X$ 

$[x := E]P \Leftrightarrow [x := E]P$, if $x \in X$ 

$[skip]P \Leftrightarrow [skip]P$ 

$[skip]P \Leftrightarrow [x, y := E, F]P$, if $x \notin X$ and $y \notin X$ 

$[x := E]P \Leftrightarrow [x, y := E, F]P$, if $x \in X$ and $y \notin X$ 

$[y := F]P \Leftrightarrow [x, y := E, F]P$, if $x \notin X$ and $y \in X$ 

$[x, y := E, F]P \Leftrightarrow [x, y := E, F]P$, if $x \in X$ and $y \in X$ 

$[T_X(P_1) \Rightarrow T_X(S)]P \Leftrightarrow [P_1 \Rightarrow S]P$, since $T_X(P_1) = P_1$ according to the 
$Mod_X(P_1 \Rightarrow S)$ definition 

$[T_X(S_1) \, [] \, T_X(S_2)]P \Leftrightarrow [S_1 \, [] \, S_2]P$, by induction hypothesis 

$[@z.T_{X \cup \{z\}}(S)]P \Leftrightarrow [@z.S]P$, by formula (5) and induction hypothesis 



Notice that the hypothesis that $P$ is defined only in terms of the abstract vari- 
ables $X$ implies that $[x := E]P = P$ when $x \notin X$, because there is no occurrence 
of $x$ in $P$. 

We can then conclude that the set of behaviors on the set of abstract variables 
$X$ of an event $ev$ is unchanged when we simplify it by $T_X$. 



